Key Takeaway
CVE-2025-40536 is an authentication bypass vulnerability in SolarWinds Web Help Desk that allows unauthenticated remote attackers to access restricted application functionality without credentials. Successful exploitation can lead to data theft, privilege escalation, and lateral movement through connected enterprise systems. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch by February 15, 2026.
CVE-2025-40536: SolarWinds Web Help Desk Authentication Bypass
CVE ID: CVE-2025-40536 Vendor: SolarWinds Product: Web Help Desk Vulnerability Type: Security Control Bypass / Authentication Bypass Attack Vector: Network (unauthenticated remote exploitation) CISA KEV Patch Deadline (Federal Agencies): 2026-02-15
Vulnerability Overview
SolarWinds Web Help Desk contains an authentication bypass vulnerability tracked as CVE-2025-40536. The flaw allows an unauthenticated remote attacker to access functionality that should require valid credentials. No authentication, no prior access, and no user interaction are required to trigger the condition.
The vulnerability is classified as a security control bypass, meaning the application's access enforcement logic can be circumvented. Attackers who successfully exploit this flaw can reach restricted application features directly, bypassing the login and authorization layers that would normally gate that access.
Technical Details
SolarWinds Web Help Desk is an IT service management (ITSM) platform widely deployed by enterprises and government agencies to manage internal ticketing, asset tracking, and change management workflows. It operates as a web-based application and is frequently exposed to internal networks—and in some deployments, to external-facing infrastructure.
The bypass in CVE-2025-40536 targets the application's security control layer rather than a specific authenticated endpoint. This class of vulnerability typically arises from flawed request routing, improper enforcement of authentication middleware, or missing authorization checks on specific API endpoints or URL paths. An attacker can craft requests that reach protected functionality without supplying valid session tokens or credentials.
A CVSS score has not been publicly confirmed at this time, but the unauthenticated remote exploitation vector and the access to restricted functionality place the severity in the high-to-critical range under standard scoring methodology.
Real-World Impact
Successful exploitation of CVE-2025-40536 can produce several high-severity outcomes depending on what restricted functionality is exposed:
- Data exfiltration: Web Help Desk instances contain sensitive ticket data, employee records, asset inventories, and potentially credentials or configuration details submitted through support workflows.
- Privilege escalation: Access to administrative or configuration functionality without credentials could allow attackers to create privileged accounts, modify workflows, or alter system settings.
- Lateral movement: ITSM platforms often integrate with Active Directory, email systems, and endpoint management tools. Unauthorized access to Web Help Desk can serve as a pivot point into connected infrastructure.
- Persistence: An attacker who reaches administrative functionality can establish persistent access mechanisms that survive credential resets and initial incident response.
SolarWinds products have historically been targeted in high-profile supply chain and network intrusion campaigns. The 2020 SUNBURST attack, attributed to APT29 (Cozy Bear), compromised SolarWinds' Orion build pipeline and affected thousands of organizations, including U.S. federal agencies. While CVE-2025-40536 is an application-layer flaw in a different product, the vendor's elevated threat profile makes timely patching a priority.
CISA has added CVE-2025-40536 to the Known Exploited Vulnerabilities (KEV) catalog and mandated that U.S. federal agencies apply the patch by February 15, 2026. Organizations outside the federal government should treat this timeline as a ceiling, not a target.
Affected Versions
SolarWinds has not publicly disclosed the full version range affected at the time of this advisory. Organizations running any version of SolarWinds Web Help Desk should consult the SolarWinds Security Advisory portal and apply the latest available update without delay.
Patching and Mitigation Guidance
1. Apply the official SolarWinds security update immediately. SolarWinds has released a fix for CVE-2025-40536. Retrieve the update directly from the SolarWinds Customer Portal and follow the vendor's upgrade documentation. Verify the patch was applied successfully before restoring full network access to the application.
2. Restrict external network access to Web Help Desk until patched. If your Web Help Desk instance is accessible from outside the corporate network or from untrusted network segments, implement firewall rules or reverse proxy controls to block external access immediately. Place the application behind a VPN or zero-trust access gateway.
3. Audit application and web server logs for unauthorized access. Review logs for requests to administrative endpoints, configuration pages, or API paths that were accessed without a corresponding authenticated session. Look for anomalous source IPs, unusual request patterns, and any account creation or configuration change events that cannot be attributed to authorized activity.
4. Rotate credentials and review integrations. If exploitation cannot be ruled out, rotate all credentials stored in or connected to Web Help Desk, including Active Directory service accounts, SMTP credentials, and API keys used by integrations.
5. Monitor vendor advisories for updated CVSS scoring and IOCs. SolarWinds may publish updated technical details, indicators of compromise, or revised affected version ranges. Subscribe to the SolarWinds Security Advisory RSS feed and CISA's KEV updates to receive changes as they are published.
Original Source
CISA KEV
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.